b'                                                  NATIONAL SCIENCE FOUNDATION\n                                                   OFFICE OF INSPECTOR GENERAL\n                                                     OFFICE OF INVESTIGATIONS\n\n                                            CLOSEOUT MEMORANDUM\n\n Case Number: A11070051                                                                      Page 1 of 1\n\n\n\n                 We received an allegation that a reviewer 1 posted links to 22 confidential NSF proposals,\n         all from the same panel,2 on a website. Our investigation determined that the reviewer had\n         another person place the proposals on a personal page within a website, which he believed was\n         private. The page was not private and the proposals became temporarily available for public view\n         via search engine. At least one confidential proposal was found via Internet search by a third\n         party who then emailed its PI.\n\n                We sent a report to the agency, recommending actions to protect the federal interest. The\n         agency determined that the relevant Division Director should send the reviewer a warning letter\n         and he did.\n\n                 This memo, the attached Report of Investigation, and the attached warning letter constitute\n         the case closeout. Accordingly, this case is closed.\n\n\n\n\nNSF OIG Form 2 (11102)\n\x0c                   National Scienc:e Foundation \xe2\x80\xa2 Offic:e of Inspector Genetal\n                  4201 Wilson Boule\'\\tard~ Suite II-705, Arlington,Virginia 22230\n                                                     AUGOS"\'-~012\n\n\nTo:              Cora B. Marrett\n                 Deputy Director\n\nFrom:\n\n\nSubject:         Breach of Confidentiality Investigation Report All 070051\n\n\n        Attachedis our confidential\xc2\xb7u:\xc2\xb7LVe!;ttg.attc::>nrepo\'rt\nreviewer confidentiality against Dr.\nthe basis of oqr investigation, we CODlcluded\nproposals on the Internet.\n\n        We recomrilend that NSF ban Dr.- from servilig as a reviewer, advisor~ or\nconsultant for NSF for a period of 2 years, which we believe\xc2\xb7 will adequately protect NSPs\ninterests. The reasons for our recommended actions are described in detail in the report. In\nresponse to om <haft report, D r . - reiterated his previous statements from responses to our\ninquiry letter. We reviewed the response and detenninedthat itdid not warrant a revision of the\nreport\n\n       If you have any questions about the \xe2\x80\xa2investigation report or our recommended findings\nand dispositioD; I would be happy to discuss them with you. My staff point of contact for this\nmatteris-at70~~\n\n\n\nAttachment\n\ncc:     Lawrence Rudolph, General Counsel\n        Kathryn Sullivan, Office of the Director\'s Liaison to OIG\n\x0cCONFIDENTIAL                                                           CONFIDENTIAL\n\n\n                                     Executive Summary\n\nAllegation:          We received an allegation that a reviewer (the Subject) posted links to 22\n                     NSF proposals, all from the same panel, on a website.\n\nOIG Investigation:   Our investigation determined that the Subject provided confidential\n                     proposals to his wife for the purpose of posting the proposals on a private\n                     webspace allocated to him by his company. The webspace was not as private\n                     as the Subject claimed to have thought, and the proposals were available for\n                     public view through an Internet search engine. At least one confidential\n                     proposal was found by a third party via Google search. The third party\n                     subsequently discussed the proposal. with its Pl.\n\nOIG                  Prohibit the Subject from participating as a reviewer, advisor, or consultant\nRecommendation:      for NSF for a period of 2 years.\n\n\n\n\n                                                                                                  1\n\x0cCONFIDENTIAL                                                                          CONFIDENTIAL\n\n                  [R]espect the confidentiality ofall principal investigators and of\n                  other reviewers. Do not disclose their identities, the relative\n                  assessments or rankings of proposals by a peerreview panel, or\n                  other details about the peer review of proposals. Unauthorized\n                  disclosure of any confidential information could subject your [sic]\n                  to sanctions,\n\nWe confirmed that the Subject signed the 12JOP form for the review atiss{1e. w\n\n                                               OIG Investigation\n\n        We reviewed the materials                 the allegation, including the screenshot\nthrough which we verified, as of                2:01PM: 1) the NSF proposals were\ndiscoverable on the Internet via Google searc~ 1 and 2) Google had cached copiesofthe\nconfidential NSF material. 12 Although the panel ended in May, the Subject failed to promptly\ndelete the proposals~ which remained on his webspacewhere they were discovered bya third\nparcyY\n\n                                     Results ofCommur#cation withthe Subject\n\n        We wrote to the Subject14 seeking his response to the allegation and to related questions.\nWhen he failed to respond by the due date, we contacted him via emaiL He explained that he had\nlost our correspondence and asked us to forward an electronic eopy of the materials, which we\nsupplied.\n        Based on the Subject\'s cursory, initial response, he did not appear to understand the\ngravity oftheallegations. 15 We contacted him by phoneto obtain a more detailed response.\nDuring the call, he told us he had made a mistake; he said he pl.lt the proposals on what he\nthought was a secure web site, but i.t was evidently publicly available on the WorldWide Web:\nWe asked him to consider providing a more detailed written response to our questions; he\nagreed.\n        In his second written response, the Subject explained that he had previously believed that\nthe server space on which he placed the proposal~ "\\vas private and nofdiscoveiable\'\' 16 and tha(\nhe did not disclose the URL to anyone else.          He\n                                                  did state, however, that he gave the proposal files\nto his wife,so that she could assist him with File Transfer Protocol.(FTP) software to upload the\nproposals17 to the server/webspace; He indicated that "she did not read orshare the proposals\n\n\n                                             within the company\'s Internet domain. Specifically, they were at:\n                                              See also Tabl for one of the screenshots provided tp our office.\n     See Tab 1.\n13\n   We also determined that the PI ofone of the proposals had been contacted by a third party, who had found the\nPI\'s proposal via Google search; The PI was understandably concerned that the non-public inteUectual property\ncontained in the proposal was readily available via Internet search, and that someone unaffiliated. with NSF had read\nthe proposaL\n14\n   SeeTab4.\n15\n   See TabS,\nh> Tab (},page 1.\n17\n  The primary use ofFTP software is to enable placing documents onto a web server that. as the name implies,\nserves documents ex1:emally to the web.\n\n\n                                                                                                                    3\n\x0cCONFIDENTIAL                                                                             CONFIDENTIAL\n\n\xc2\xabserver". which he believed \\Vas something wholly separate (and therefore undiscoverable) from\nthe website.\n\n                                      Other documents in the Company webspace\n\n         While reviewing the Subject\'s webspace,24 we determined that one ofhis webpages is\nprotected from public viewing via a privacy mechanism, the website\'s robots.txt. 25 This appears\nto illustrate that the Subject took more care to protect a personal page on his webspace, a space\nhe believed to be private,26 than he did to protect confidential NSF proposals.27\n\n                                                 OIG Assessment\n\n         Our investigation revealed that the Subject had 22 confidential NSF proposals posted on\nhis company\'s webspace which caused the proposals to be publically available via an Internet \xc2\xb7\nsearch engine. During our investigation, we also determined that the Subject gave access to the\nconfidential proposals to his wife, contra to NSF rules? 8 Similarly, we note that although the\n~1 was held on M a y - \' the proposals were still on the Subject\'s webspace on June 21,\n      29\n. . . and thus available to the public through an Internet search. These actions constitute\nviolations ofNSF Policy.\n         Given the Subject\'s area of expertise and the use of a privacy mechanism to protect some\nof the information on his webspace> we are not convinced of the plausibility of the Subject\'s\nassertions that be believed his webspace was private.\n         The seriousness of making confidential NSf\' proposals available to the Subject\'s wife and\nultimately the public is exacerbated by the fact that one ofthe Principal Investigators (Pis)\nbecame aware that his/her proposal was accessible online when contacted by a third party to\ndiscuss the proposed research. The PI expressed a great deal of concern about the intellectual\nwork which was not supposed to have been public.\n         We conclude that he recklessly gave his wife access to the proposals and caused the\nproposals to be uploaded onto a server connected to the Internet which resulted in at least one\nconfidential proposal to be viewed by an unrelated third party.\n\n                                                Recommendations\n\n       The full extent to which NSF Pis were harmed by the Subject\'s actions cannot be\nassessed. We do know that at least one person contacted an NSF PI with questions about the PI\'s\nconfidential NSF proposal.\n\n\n24\n      The same web space on which he had the NSF proposals placed.\n25\n      A "robots.M", or Robots Exclusion Protocol, is an extremely common tool in the form of a text file. The file\'s\ninstructions (to web crawlers) list specific pages that a website\'s            does not want them to index. See Tab 8\nfor an example, the robots.txt that is utilized by the site at\n26\n      See Tab 6, page L                                ,\n27\n      See Tab 8.\n28\n      Despite signing a conflict-or-interest form (1230P), a certification which explains NSF\'s confidentiality rules and\ndespite viewing banners which stressed the importance of privacy, including the importance of destro:;-ing copies\nafter conclusion of a panel.\n:1.\'1 More than a month after the panel concluded.\n\n\n\n                                                                                                                        5\n\x0cCONFIDENTIAL                                                         CONFIDENTIAL\n\n\nAttachments\n\n  1.   Screenshot of Website containing proposals.\n  2.   Screenshots from NSF FastLane (From the Demonstration Site)\n  3.   Form 1230P\n  4.   Letter to the Subject\n  5.   Subject\'s Response 1\n  6.   Subject\'s Response 2\n  7.   Biographies of the Subject from the Company\'s website\n  8.   Error message and the Company\'s Robots.txt\n  9.   The Subject\'s Response to the Draft ROI\n\n\n\n\n                                                                                    7\n\x0c                                    NATIONAL SCIENCE FOUNDATION\n                                        4201 WILSON BOULEVARD\n                                      ARLINGTON, VIRGINIA 22230\n\n\n\n\nDecember 18, 2012\n\n\n\n\nIt has come to my attention that 22 prcJPC>sats    reviewed for the National Science\nFoundation\'s                                                                            inMay2cJI\n                                                       While this posting may have been\nunintentional, I am writing to ensure       you are aware ofNSFs policies and requirements for\nyour services as a panelist. In addition, I want to remind you of your obligation to maintain the\nconfidentiality of proposals and applicants (in addition to the identities of reviewers and the\nreview process).\n\nThe Foundation receives proposals in confidence and protects the confidentiality of their\ncontents. Prior to your May  2cJI panel service you certified that you understood NSF policies\nand that you would not divulge or use confidential information.\n\nNSF requires specific protections for sensitive information related to the work we perform,\nparticularly the peer review process and the confidential proposals we receive for review.\nSafeguarding proposals and preventing the disclosure of this information is essential to ensure\nwe retain the scientific community\'s and the public\'s trust.\n\nWe take the protection of the NSF peer review process very seriously and continue to work to\nprotect and secure NSF information. If you have any questions, please contact me.\n\n\n\n\n                                              Division Director\n\n\n\nEnclosed copy o f - signed 1230P\n\x0c                                                                              National Science Foundation\n                                                                                         Arlington, VA 22230\n\n                                                  Conflict-of-Interests and Confidentiality Statement for NSF Panelists\n                                                       Includes members of proposal review panels; site visitors; and committee of visitors.\n\n~f~i:.Y~!i~:@)UJ.i.l.~[fifJ~I\xc2\xa7i@~Li.it:\xc2\xa3\'~~~~~~!{~~\xc2\xa71"1i~-ltr~11~~y~~~~~!t?iiiftJ0i~i:SMl~:\\\n Your designation as an NSF panelist requires that you be aware of potential conflict situations that may arise. Read the examples of potentially\n biasing affiliations or relationships listed on the second page or back of this form. As an NSF panelist, you will be asked to review applicant\n grant proposals. You might have a conflict with one or more. Should any conflict arise during your term, you must bring the matter to the\n attention of the NSF program officer who asked you to serve as a panelist This. official will determine how the matter should be handled and will\n tell you what further steps, if any, to take.\n\nt2WN6~oswot~~~n-S((Il!a~~ml~[!lf]~~~l$l~-~m~B!\nlf}r"\'iJ;"[i;~~~ii~gi\\i~~ you access to information not gene         available to the public, you must not use that information for your personal\n benefit or make it available for the personal benefit of any other individual or organization. This is to be distinguished from the entirely\n appropriate general benefit of learning more about the Foundation, learning from other panel members, or becoming better acquainted with the\n state of a given discipline.\n\n              ..\n~"":V"~ ~\'\'-\'Kt1i"""-t.l"\'~~""\'-M~\'i\'.:.\xc2\xb7::i.r.u:;.\'i!1io;o;~...v...i::~\xe2\x80\xa2!l;l:.."\'ij"\'b~-~\xc2\xb7\xe2\x80\xa2\';;;;:g""jj-"\'~"-"\'l:~Jiii!:~il\xc2\xb7~~~""\'""\'""\'\'&~~"\'"\'~illi~""""""\'"""\'"\'";\',w,;;;;;-,\n~tti~~~~~j~~M--~~~@,_,9.u..~~...\'!~JrmJ!~IJ!1.!~1lbJ..!JJ~!~I!t..U.JJr~JLGJi@ 8!81!~9~~!J..P.!~~~!~ -\xc2\xb7~~~~.JY-~~~Ji.~~.r~M11-~~~~:~~~~i{~\xc2\xb7;&:/f~--"l;:l:;~~-~l-\':\n                                                                                                                                                                                        ..\xe2\x80\xa2,"\'"\'"\'".,-.:\'\xc2\xb7\xc2\xb7l\xc2\xb7;?\':i\nThe Foundation receives proposals in confidence and protects the confidentiality of their contents. For this reason, you must not copy, quote, or\notherwise use or disclose to anyone, including your graduate students or post-doctoral or research associates, any material from any proposal\nyou are .asked to review. If you believe a colleague can make a substantial contribution to the review, please obtain permission from the NSF\nprogram officer before disclosing either the contents of the proposal or the name of any applicant or principal investigator.\n\n\'\'li\'"";;;\'-\'-""!l:ld\xc2\xb7\xc2\xb7\xc2\xb7--\xc2\xb7\xc2\xb7tl   ll~;~\xc2\xb7\xc2\xb7:t:\xe2\x80\xa2""<..::itcr~.>W"D"\'\'-\xc2\xb7\xc2\xb7!ii>\'ll!\xc2\xb7:;;;.,..;~"~:~smlru\'r\xc2\xb7 .~llil\xc2\xb7\'\xc2\xb7\'\xc2\xb7-a:~w.J;Jt\xe2\x80\xa2"~~~-,..~~.:i\xc2\xb7\'"\'b.j!\'lfij\'"\'""\'~~~\'""\'\xc2\xb7\xc2\xb7---\xe2\x80\xa2\'""\'~\'.:<;,<o1!;~w\xc2\xb7\xe2\x80\xa2e:-\xc2\xa3.r.t;,,~,,,\n                                                                                         4\n\njr1~9-,.llJJ~--~Il-:o-~~.---~-!\'.J.;~9.J~~~~~\xc2\xa5 @n~..B-~&~~~,J.~llm~~~~~!&\xc2\xa7~~~~-j\xc2\xa7\xc2\xb7 -~V~~~~tgl~~~i\'Jf~\'fo\\~~.;\xc2\xa7:j..:f~~~Ilf.f~~\'-~r-:\xc2\xb7\nNSF keeps reviews and your identity as a reviewer of specific proposals confidential to the maximum extent possible, except that we routinely\nsend to principal investigators (PI\'s) reviews oftheir own proposals without your name, affiliation, or other Identifying Information. Please\nresp~rit ttii{pqnfide!liialit)i of ail\'priilcipal il1v~tigato.rs <!rid of other reviewers. po not disclriseJheir ideniities; ihe relative assessments or\nrarikirigs\'of prop\xc2\xb7osals by a peer review panel;\' or oth.ei\' details about the peer review of prop\'osals:\n\nUriailthbrizeil dlscio5ure ofany cilnfidential infOrmation could subject your to sanctions.\n\n\n\n\n                                                                                             above, that\n\n\n\n\nMember\'s Name\n\n\n\n\nNameofPaneiJIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII(_\n\n\n\n\nNSF Form 1230P (5/08)\nFile In Panel File                                                                                                                       All Previous Editions are Obsolete\n\x0c'